Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-3472: Code Injection in Ocean Extra

CWE-94 (Code Injection); 4 documents, 4 sources
Severity: 9.8 CRITICAL (NVD); 6.5 (CNA)
EPSS: 17.3% (top 4.95%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Apr 22

Description

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: oceanwp/ocean_extra < 2.4.7
CVEList V5: oceanwp/ocean_extra 2.4.6

Patches

Vulnerability Details (2)

CVEList: Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution (2025-04-22)
GHSA: GHSA-g4fm-73wh-j3m8: The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2 (2025-04-22)

Exploits & PoCs (1)

Nuclei: Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution
CVE-2025-3472 — Code Injection in Oceanwp Ocean Extra | cvebase